Yahoo is now investigating claims that a hacker has stolen the credentials of 200 million Yahoo user accounts and put them up for sale on a dark web marketplace – The Real Deal. The hacker, who uses the moniker ‘Peace’, told the Motherboard website that he has been trading the data privately for a while but has now decided to openly sell it.

In a statement about the hack, Yahoo said:

“Yahoo works hard to keep our users safe, and we always encourage our users to create strong passwords, or give up passwords altogether by using Yahoo Account Key, and use different passwords for different platforms.”

The credentials are available on the dark web marketplace for three bitcoins, which is around £1,500. After being told by Motherboard that Yahoo wouldn’t or couldn’t confirm the data breach, Peace said it’s better “for me they don’t do [a] password reset.”

Peace said much of the data was most likely from 2012. After a bit of testing, Motherboard said that some of the usernames did correspond to real Yahoo accounts, but that when they tried to contact more than 100 addresses, many were returned to sender as undeliverable, citing a disabled or discontinued account.

While Yahoo investigates claims of the hack, it is recommended that readers with a Yahoo account act preemptively and change their password immediately. If Yahoo does confirm publicly that the hack really did take place, it’s almost certain they’ll get users to change their passwords too.